Privacy Rule Enforcement Highlights

November 20, 2007

The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers; and health care clearinghouses. These standards provide patients with access to their medical records and significant control over how their personal health information is used and disclosed. Compliance with the standards was required as of April 14, 2003 for most entities covered by HIPAA. On that date, the Office of Civil Rights (OCR) began accepting complaints involving the privacy of personal health information in the health care system.

Enforcement Results as of October 31, 2007:

HHS / OCR has investigated and resolved over 5,299 cases by requiring changes in privacy practices and other corrective actions by the covered entities. Corrective actions obtained by HHS from these entities have resulted in change that is systemic and affects all the individuals they serve. HHS has successfully enforced the Privacy Rule by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity, including:

National pharmacy chains;

Major medical centers;

Health plans;

Hospital chains; and

Small provider offices.

In another 2,583 cases, HIPAA investigations found no violation had occurred.

In the rest of the completed cases (16,809), HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. These include cases in which:

OCR lacks jurisdiction under HIPAA – such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule;

the complaint is untimely, or withdrawn or not pursued by the filer;

the activity described does not violate the Rule – such as when the covered entity has disclosed protected health information in circumstances in which the Rule permits such a disclosure.

Since the compliance date in April 2003, HHS has received over 31,194 HIPAA Privacy complaints. HHS has resolved three quarters of the complaints received (over 24,691): through investigation and enforcement (over 5,299), through investigation and finding no violation (2,583), and through closure of cases that were not eligible for enforcement (16,809).

The compliance issues investigated most frequently are, in order of frequency:

OCR refers appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rule to the Department of Justice (DOJ) for criminal investigation. As of October 31, 2007, OCR had made over 415 such referrals to DOJ.

CMS Referrals

OCR refers cases that describe a potential violation of the HIPAA Security Rule to the Centers for Medicare and Medicaid Services (CMS). As of October 31, 2007, OCR has made over 216 such referrals to CMS. In the referred cases that describe potential violations of both the HIPAA Privacy and Security Rules, OCR and CMS coordinate the investigations.

Outreach and Education

HHS also obtains privacy compliance through outreach and education efforts. OCR has reached hundreds of thousands of covered entities and consumers through educational conferences, a toll-free call line, and an interactive website. HHS has had over 5.5 million visits to its Privacy Web pages and over 4.3 million visits to the frequently asked questions on the Privacy Web pages. HHS has distributed announcements and educational information to over 18,000 subscribers to the Privacy listserv.